Best Practices for Applying Updates and Releases on a Smoothwall Filter and Firewall

Installing updates and releases on a Smoothwall is fairly simple, but sometimes you need to take a bit of extra care. Specifically in cases where multiple Smoothwall systems need to be updated in a cluster or in a hardware failover setup. This article explains the best practices for applying both updates and new releases on any type of Smoothwall setup.

Updates and releases - what's the difference?

A new release is when a major new feature and/or rework of existing features have been performed. Releases are named after famous castles like Hearst, Inverness, Leeds etc. They are released in alphabetical order.

An update is a smaller package which contains bug fixes and security updates. Updates are specific to a release version so you will see Leeds updates to signify the update level of a release. At the time of writing, the latest release and update version is Leeds 12. Leeds is the release. 12 is the update level.

General recommendations

When a new release or update is available, always read the description first. Next to the installation button for releases and updates, you will find a "Details" button. Click on this to get a description of what the release or update contains. Always read this as the description may contain specific update instructions that should be used, rather than the procedures shown in this article.

When an update or a release in installed, the Smoothwall system will take a snapshot of the current system before applying the update or release. If there are any issues after updating to the latest version, reverting to your previous version is always possible in the "System » Maintenance » System restore" section. A manual snapshot can also be created here. This can be useful if you are looking at a major reconfiguration and would like to be able to revert, in case anything goes wrong.

Whenever multiple updates and releases are available on a system that has not been updated in a while, it is possible to update to the latest release immediately. You do not need to first apply updates for the current release and then apply each release version in turn.

Updates can be scheduled to be installed automatically when they become available. Releases can not be scheduled. Releases could change the way features work so it's important to read the description and resolve any questions that may arise from the description, before applying new releases.

Updating a single system

Read the detailed description, which also gets shown when you click the install button. Once you have read the description, determine if now is the right time to install the update/release. Once the installation has begun, it cannot be stopped and a reboot will be initiated once the update or release have been installed. This will happen automatically once the system is ready - the reboot time cannot be set. Once the reboot has completed, the Smoothwall system will have been updated to the latest release and update level.

Updating a hardware failover setup

Updating both systems in a hardware failover setup needs to follow a specific sequence as the failover system needs to be updated before the master. When an update or a release is installed, it's a good idea to perform a failover test as well. Follow this sequence in order to apply updates and perform a failover test.

Once the failover system is updated and rebooted, it should come back in passive mode. Access the failover GUI again and confirm that the update/release has been installed successfully.

Access the master GUI and navigate to the "System » Hardware » Failover" section and use the "Enter Standby" button to enter passive mode on the master. This will trigger the failover system to enter active mode. This is the start of the failover test.

Test that the failover system has entered active mode correctly and that all services are functioning as expected. The failover system should have everything working after 2-3 minutes. It is important to verify that all services are running and that the failover system is working as expected as this is the final step before applying the updates on the master.

If the failover system does not pass testing, navigate to "System » Hardware » Failover" and use the "Enter Standby" button to revert back to having the master in active mode. Call support so we can help you troubleshoot any issues the failover system may have.

Once the failover has passed testing, install the updates/releases on the master system. Now that the master is in passive mode, the GUI of the master system can be accessed using this url: HTTPS://ip.address.of.smoothwall:440

Once the install has completed, the master will reboot. If the failover settings have been configured for automatic failback, the master should enter active mode once the reboot is done. If the automatic failback has not been enabled, enter the failover system GUI and use the "Enter Standby" button in the "System - Hardware - Failover" section to push the failover into standby mode and the master into active.

Test that everything is working as expected after the master is active mode and has been updated.

This sequence adds two important things to the update process. A failover test to make sure failover works as expected and allows enough time for the failover system to enter active mode and start all services, before the master is updated. If the master is updated and rebooted while the failover is still in passive mode, rebooting the master will trigger active mode on the failover and the master may come back up before the failover system has finished moving into the active state. This can cause both systems to think they need to be in active mode, which will cause disruption in the network. If this happens, unplug the failover system from all network interfaces except the heartbeat interface and reboot the failover system. If the problem persists after that, please call support.

Updating a cluster setup

When systems that are part of a central management cluster needs to be updated, it's important to update the children first and the parent last. Newer versions will be able to understand older configuration files but the reverse is not always the case - that's why it's important to update children first.

If it is not possible to update a child due to it being offline or other causes and the parent needs to be updated, disable replication to this child from the parent, until the child is ready and updated.

Final words

Unless the description in the update/release specifies otherwise, following the recommendations above should ensure a smooth upgrade to the latest version of your Smoothwall system.